
Welcome back to this series, where we are covering CCNA security topics using Cisco Packet Tracer for our labs. In the previous labs, we focused on the Cisco ASA and configured features like routing, ACL, NAT, and VPN.

In this lab, we will move on to the Cisco IOS and look at privilege levels on Cisco IOS devices and also configure role-based access control on these devices. There are several articles on the Intense School site that you may want to go through first, such as this and this.

For this article, we will be using a lab setup as shown below:

Two files are attached to this article:

priv_lvl_rbac_init.pkt: This Packet Tracer file contains the lab setup with the devices configured with basic IP settings in the 10.0.0.0/24 subnet. R1 is configured as .1, R2 as .2 and PC0 as .100. A line password of “cisco123” has been configured on R1 and SSH has been enabled on R2.

When anyone telnets to R1, they should be placed at a privilege level of 2. An administrator should be able to access privilege level 15 with a password of “cisco123”. Do not configure usernames for this task.

Still on R1, connections with a privilege level of 2 should be able to perform any configuration on ANY interface.

On R2, create two CLI views – Helpdesk and NOC. The Helpdesk CLI view should have a password of “helpdesk” and should be able to ping and view interface status (i.e., show interfaces). The NOC CLI view should have a password of “NOC” and be able to do everything the Helpdesk CLI view can do including being able to perform any configuration on interfaces.

Create two users on R2 with the following username/password credentials: helpdesk/helpdesk and NOC/NOC. When the “helpdesk” user logs in, the user should use the “enable view Helpdesk” command to access the Helpdesk CLI view. In the same way, when the “NOC” user logs in, the user should use the “enable view NOC” command to access the NOC CLI view. Assume that users will login via Telnet/SSH.

Lab Solutions

Task 1: Line Privilege

Since this task specifies that usernames should not be configured, the only other option we have is to configure the privilege level on the VTY lines. By default, when we login via Telnet to a VTY line on a Cisco IOS device, we are placed at privilege level 1 as shown below:

We can use the privilege level line configuration command to change the default privilege level for a VTY line. For this task, we will assign a privilege level of 2 to the VTY lines. The task also requires that an administrator be able to access privilege level 15. To do this, we can configure an enable password/secret. When you configure an enable password/secret without specifying any level, you are effectively configuring an enable password/secret for privilege level 15.

Therefore, our configuration on R1 is as follows:

line vty 0 4
privilege level 2
!
enable secret cisco123

To test this configuration, we will login via Telnet again and check the privilege level; we will then try to gain access to privilege level 15:

Task 2: Changing privilege level for commands

By default, you need to be in privilege level 15 to be able to configure a Cisco IOS device. Therefore, if we want users at privilege level 2 to be able to configure interfaces, we need to move the relevant commands down to that level.

Before we make any configuration changes, look at the commands available to a user at privilege level 2:

Note: There may be more commands on a real Cisco IOS device than on Packet Tracer.

The configuration to allow privilege level 2 users to configure interfaces is as follows:

Hint: The “all” option in the command privilege configure all level 2 interface allows the sub-options under interface to be placed at the same privilege level.

We can verify our configuration by logging into the router and viewing the commands available at each level:

Note: You may get some unexpected behavior with the privilege level command on Packet Tracer. For example, if you omit the “all” option and use privilege configure level 2 interface instead, privilege level 2 users will not be able to configure any interface.
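The complete Task 2 configuration for R1, written out here as an added example rather than taken from the article's screenshot; it assumes the Task 1 configuration (VTY lines at privilege level 2, enable secret cisco123) is already in place, and the verification session at the end is a constructed illustration.

```cisco
! Added example (not the article's own screenshot): Task 2 on R1.
! Assumes Task 1 is already applied, so Telnet sessions land at level 2.
configure terminal
 ! A level-2 user must first be allowed into global configuration mode.
 ! Moving "configure terminal" to level 2 also exposes its parent "configure".
 privilege exec level 2 configure terminal
 ! "all" moves "interface" together with every option under it (e.g. the
 ! interface type and number) to level 2; without "all" only the bare
 ! keyword moves and no interface can actually be selected.
 privilege configure all level 2 interface
end
!
! Verification from a Telnet session (constructed illustration):
!   R1# show privilege
!   Current privilege level is 2
!   R1# configure terminal
!   R1(config)# interface GigabitEthernet0/0     <- accepted (moved to level 2)
!   R1(config)# router ospf 1                    <- still rejected: stays at level 15
!
! Only the commands named above were lowered; everything else, including the
! enable secret and the rest of the configuration, still requires level 15.
```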

Task 3: Role-based CLI access

Changing command privilege levels like we did in the previous task can be quite cumbersome; a better way is to use CLI views. To create views, you need to be in the root view (which is different from privilege level 15). Before you can use CLI views, you must enable AAA and also configure an enable password/secret as follows:

aaa new-model
enable secret cisco123

Now, to create CLI views, we must enter the root view using the enable view command from privileged EXEC mode. We will need to enter the enable secret to gain access to the root view:

On a real Cisco IOS device, we would be able to tie usernames to specific CLI views, but that’s not available in Packet Tracer. Therefore, a user needs to manually access a CLI view using the enable view command.

The configuration for this task is as follows:

username helpdesk secret helpdesk
username NOC secret NOC
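The full Task 3 configuration for R2 as an added example, not the article's screenshot. It assumes aaa new-model and enable secret cisco123 are already configured as described above; the commands interface include all line, which grants the interface sub-mode commands to the NOC view, is my reading of the role-based CLI syntax and should be confirmed on the target IOS release.

```cisco
! Added example (not the article's own screenshot): Task 3 on R2.
! Prerequisites already applied per the article:  aaa new-model / enable secret cisco123
! Views can only be created from the root view, so first run, from privileged EXEC:
!   R2# enable view          (answer the password prompt with cisco123)
configure terminal
 parser view Helpdesk
  secret helpdesk
  ! Read-only role: reachability test and interface status only.
  commands exec include ping
  commands exec include show interfaces
  exit
 parser view NOC
  secret NOC
  ! Everything Helpdesk can do...
  commands exec include ping
  commands exec include show interfaces
  ! ...plus the path into interface configuration. "all" covers every
  ! "interface <type> <number>" form under configure mode.
  commands exec include configure terminal
  commands configure include all interface
  ! Assumption: grants the commands inside interface config mode itself
  ! (ip address, shutdown, ...); verify with "?" from the NOC view.
  commands interface include all
  exit
 ! Local accounts; in Packet Tracer the view must be entered manually:
 !   R2> enable view NOC       (answer with the view secret "NOC")
 !   R2# show parser view      (confirms which view is active)
 username helpdesk secret helpdesk
 username NOC secret NOC
 ! On a real IOS device the account can be bound to its view directly,
 ! so the user lands in it at login (not supported in Packet Tracer):
 !   username NOC view NOC secret NOC
end
```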

To test this configuration, we will first login using the helpdesk username:

Cool! Let’s now test the NOC user:

Summary

This brings us to the end of the lab, where we have looked at privilege levels and RBAC on Cisco routers. I hope you have found this lab insightful.

Adeolu Owokade is a technology lover who has always been intrigued by Security. He has multiple years of experience in the design, implementation and support of network and security technologies. He's a CCIE (Security) with a newfound love in writing.
